Stabilization Improvement for the Helm Charts (for Resource-Limited Environments) #933
Merged
16 commits
ef22bff  attempt 2 (v0lkan)
3d9f9b5  add priorityclassname (v0lkan)
64ad283  add health check to spire agent (v0lkan)
3b40de0  increase wait timeout (v0lkan)
62bab5a  add probes to spire-server (v0lkan)
c2946f0  add controller manager health checks (v0lkan)
1c3ea8d  attempt 2 (v0lkan)
387f61f  attempt 3 (v0lkan)
f3b238e  BundleEndpoint update (v0lkan)
b8acb03  add notifier (v0lkan)
c643251  whitespace (v0lkan)
05a7dce  updated agent and server versions (v0lkan)
f47796d  1.9.4 (v0lkan)
02cb199  version change (v0lkan)
f16e730  update spire controller manager (v0lkan)
47d159b  spiffe csi driver update (v0lkan)
23 changes: 23 additions & 0 deletions
helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role-binding.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# /* | ||
Review comment: Split these to individual files to make it easier to diff/merge with |
||
# | Protect your secrets, protect your sensitive data. | ||
# : Explore VMware Secrets Manager docs at https://vsecm.com/ | ||
# </ | ||
# <>/ keep your secrets... secret | ||
# >/ | ||
# <>/' Copyright 2023-present VMware Secrets Manager contributors. | ||
# >/' SPDX-License-Identifier: BSD-2-Clause | ||
# */ | ||
|
||
# Binds above cluster role to spire-agent service account | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: spire-agent-cluster-role-binding | ||
subjects: | ||
- kind: ServiceAccount | ||
name: spire-agent | ||
namespace: {{ .Values.global.spire.namespace }} | ||
roleRef: | ||
kind: ClusterRole | ||
name: spire-agent-cluster-role | ||
apiGroup: rbac.authorization.k8s.io |
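Review bot: the comment `# Binds above cluster role to spire-agent service account` refers to a role "above", but the ClusterRole now lives in its own file (spire-agent-cluster-role.yaml), so the comment should name it: `# Binds the spire-agent-cluster-role ClusterRole to the spire-agent ServiceAccount`. It is also worth stating in the comment that a ClusterRoleBinding is cluster-scoped, so the `namespace: {{ .Values.global.spire.namespace }}` on the subject is the only thing that pins the grant to the intended spire-agent account; a wrong value would hand the role to a same-named ServiceAccount in another namespace.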
19 changes: 19 additions & 0 deletions
helm-charts/0.24.5/charts/spire/templates/spire-agent-cluster-role.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# /* | ||
# | Protect your secrets, protect your sensitive data. | ||
# : Explore VMware Secrets Manager docs at https://vsecm.com/ | ||
# </ | ||
# <>/ keep your secrets... secret | ||
# >/ | ||
# <>/' Copyright 2023-present VMware Secrets Manager contributors. | ||
# >/' SPDX-License-Identifier: BSD-2-Clause | ||
# */ | ||
|
||
# Required cluster role to allow spire-agent to query k8s API server | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: spire-agent-cluster-role | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pods","nodes","nodes/proxy"] | ||
verbs: ["get"] |
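Review bot: the single rule with `verbs: ["get"]` on pods, nodes and nodes/proxy is the right least-privilege shape, but the comment `# Required cluster role to allow spire-agent to query k8s API server` does not say which consumer needs each resource. `nodes/proxy` is what lets the agent reach the kubelet through the API server for the workload attestation described in the agent ConfigMap, and it applies to every node in the cluster, so a one-line comment per resource (and a pointer to the attestor that needs it) would keep this list from quietly growing in later changes.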
56 changes: 56 additions & 0 deletions
helm-charts/0.24.5/charts/spire/templates/spire-agent-config-map.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
# /* | ||
# | Protect your secrets, protect your sensitive data. | ||
# : Explore VMware Secrets Manager docs at https://vsecm.com/ | ||
# </ | ||
# <>/ keep your secrets... secret | ||
# >/ | ||
# <>/' Copyright 2023-present VMware Secrets Manager contributors. | ||
# >/' SPDX-License-Identifier: BSD-2-Clause | ||
# */ | ||
|
||
# ConfigMap for the SPIRE agent featuring: | ||
# 1) PSAT node attestation | ||
# 2) K8S Workload Attestation over the secure kubelet port | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: spire-agent | ||
namespace: {{ .Values.global.spire.namespace }} | ||
data: | ||
agent.conf: | | ||
agent { | ||
data_dir = "/run/spire" | ||
log_level = {{ .Values.global.spire.logLevel | quote }} | ||
server_address = "spire-server" | ||
server_port = {{ .Values.global.spire.serverPort | quote }} | ||
socket_path = "/run/spire/sockets/agent.sock" | ||
trust_bundle_path = "/run/spire/bundle/bundle.crt" | ||
trust_domain = {{ .Values.global.spire.trustDomain | quote }} | ||
} | ||
|
||
health_checks { | ||
bind_address = "0.0.0.0" | ||
bind_port = "9982" | ||
listener_enabled = true | ||
live_path = "/live" | ||
ready_path = "/ready" | ||
} | ||
|
||
plugins { | ||
NodeAttestor "k8s_psat" { | ||
plugin_data { | ||
cluster = "vsecm-cluster" | ||
} | ||
} | ||
|
||
KeyManager "memory" { | ||
plugin_data { | ||
} | ||
} | ||
|
||
WorkloadAttestor "k8s" { | ||
plugin_data { | ||
skip_kubelet_verification = true | ||
} | ||
} | ||
} |
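Review bot: `skip_kubelet_verification = true` in the `WorkloadAttestor "k8s"` block turns off verification of the kubelet's serving certificate, which sits awkwardly next to the header comment `# 2) K8S Workload Attestation over the secure kubelet port`: the port is the secure one, but the agent will accept any certificate presented on it. If this is needed because the kubelet certificates in the target environments are not issued by a CA the agent can trust, say so in a comment and expose the flag through values so hardened clusters can keep verification on. The same applies to `cluster = "vsecm-cluster"` in the `k8s_psat` block: namespace, log level, server port and trust domain all come from `.Values.global.spire`, while the cluster name is hard-coded, and it has to match the name the server-side PSAT attestor is configured with, so a values entry avoids a silent mismatch.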
16 changes: 16 additions & 0 deletions
helm-charts/0.24.5/charts/spire/templates/spire-agent-service-account.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# /* | ||
# | Protect your secrets, protect your sensitive data. | ||
# : Explore VMware Secrets Manager docs at https://vsecm.com/ | ||
# </ | ||
# <>/ keep your secrets... secret | ||
# >/ | ||
# <>/' Copyright 2023-present VMware Secrets Manager contributors. | ||
# >/' SPDX-License-Identifier: BSD-2-Clause | ||
# */ | ||
|
||
# ServiceAccount for the SPIRE agent | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: spire-agent | ||
namespace: {{ .Values.global.spire.namespace }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -19,8 +19,8 @@ data: | |
kind: ControllerManagerConfig | ||
metrics: | ||
bindAddress: 127.0.0.1:8082 | ||
healthProbe: | ||
bindAddress: 127.0.0.1:8083 | ||
health: | ||
healthProbeBindAddress: 0.0.0.0:8083 | ||
Review comment: Not sure about the 0.0.0.0 binding; I'll take a note to test it with 127.0.0.1 too |
||
leaderElection: | ||
leaderElect: true | ||
resourceName: 98c9c988.spiffe.io | ||
|
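Review bot: moving from `healthProbe: bindAddress: 127.0.0.1:8083` to `health: healthProbeBindAddress: 0.0.0.0:8083` changes two things at once, the key name and the bind address, and only the first is explained by the commit title. On the address: the kubelet reaches liveness and readiness probes via the pod IP, not loopback, so a health endpoint bound to 127.0.0.1 will fail every httpGet probe added by the "add controller manager health checks" commit; binding to 0.0.0.0 (or the pod IP) is what makes the probes work, which answers the open question in the comment above. The metrics endpoint is a different case and can stay on `127.0.0.1:8082` since nothing outside the pod needs it. A one-line comment next to `healthProbeBindAddress` recording that reasoning would stop a future reviewer from "hardening" it back to loopback.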
Review comment: Approximately every 1 out of 20 attempts this was taking slightly longer than 30 secs (default) on the build server. 60s should be a good enough limit.